Description

In the Web application deployment descriptor, the following syntax is used to define mappings:

A string beginning with a '/' character and ending with a '/*' suffix is used for path mapping.
...

The Arquillian TestRunner servlet may not receive any requests from the Arquillian test client if a user-defined servlet in the deployment is mapped to '/*'. This needs to be verified.

With respect to transport-guarantee requirements, the Servlet 2.5 specification also states:

The transport-guaranteeType specifies that the communication between client and server should be NONE, INTEGRAL, or CONFIDENTIAL. NONE means that the application does not require any transport guarantees. A value of INTEGRAL means that the application requires that the data sent between the client and server be sent in such a way that it can't be changed in transit. CONFIDENTIAL means that the application requires that the data be transmitted in a fashion that prevents other entities from observing the contents of the transmission. In most cases, the presence of the INTEGRAL or CONFIDENTIAL flag will indicate that the use of SSL is required.

Given the current behavior of the Arquillian test client to communicate with the SUT over HTTP and not HTTPS (when using the Servlet protocol), we'll need to verify whether:

it is necessary for the Arquillian servlet test runner to require a transport-guarantee of NONE. This might have to be tested in conjunction with a security-constraint specified for a web resource collection with the url-pattern '/*' and an accompanying transport-guarantee value of INTEGRAL/CONFIDENTIAL.

injection of URLs using the @ArquillianResource annotation would fail for URLs protected by a transport-guarantee of CONFIDENTIAL. This would also require verifying whether the injected URL is usable by a unit test.

Some of these tests are also valid for the Servlet 3.0 protocol of Arquillian. We would have to verify whether:

A value of '/*' specified for the urlPatterns attribute of a user-defined @WebServlet would prevent the Arquillian Servlet test runner from receiving any requests from the Arquillian test client.
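As a starting point for both checks above (the '/*' servlet mapping and the '/*' transport-guarantee), the following added example, which is not code from Arquillian or from this issue, resolves which servlet mapping and which transport-guarantee the Servlet specification's matching rules select for a given path in a web.xml. The runner path /ArquillianServletRunner, the servlet names and the sample descriptor are assumptions constructed for illustration; HTTP methods are ignored and at most one constraint per url-pattern is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor for the scenario to verify. The runner path
# /ArquillianServletRunner is an assumption; the issue text does not name it.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping><servlet-name>UserServlet</servlet-name>
    <url-pattern>/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>ArquillianServletRunner</servlet-name>
    <url-pattern>/ArquillianServletRunner</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
# Constructed, more specific constraint for the runner path (effect to be verified).
RUNNER_NONE = """<security-constraint>
  <web-resource-collection><web-resource-name>runner</web-resource-name>
    <url-pattern>/ArquillianServletRunner</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint></security-constraint>"""

def rank(pattern, path):
    """Match rank per the Servlet spec mapping rules; None when no match."""
    if pattern == path:
        return (3, len(pattern))                      # exact match
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))                      # longest path prefix
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                                 # extension match
    return (0, 0) if pattern == "/" else None         # default servlet

def resolve(web_xml, path):
    """Return (servlet-name, transport-guarantee) that apply to path."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]            # drop XML namespace
    best = {}
    for kind, parent, value in (("servlet", "servlet-mapping", "servlet-name"),
                                ("tg", "security-constraint", ".//transport-guarantee")):
        for node in root.iter(parent):
            for pat in node.iter("url-pattern"):
                r = rank(pat.text.strip(), path)
                if r is not None and r > best.get(kind, ((-1, 0), None))[0]:
                    best[kind] = (r, (node.findtext(value) or "NONE").strip())
    return best.get("servlet", (0, None))[1], best.get("tg", (0, "NONE"))[1]
```

This reflects only the specification's matching rules; how a particular container behaves with the Arquillian test client still has to be tested as described above.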